sublimehighRule

Issuu document with suspicious embedded link

Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1036 T1027

initial-accessdefense-evasion

Detection Query

type.inbound
and any(body.links,
        .href_url.domain.root_domain == "issuu.com"
        and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
        // suspicious link in the Issuu document
        and (
          any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
                     strings.icontains(.url.path, "/links/")
              ),
              // less than 3 links in the Issuu document
              length(.json["1"]) < 3
              and any(.json["1"],
                      strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
                      or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
                      or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
                      or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
              )
          )
          // or, credential phishing language on the page
          or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
                                                             mode="aggressive"
                                            ).screenshot
                                   ).text
                 ).intents,
                 .name == "cred_theft" and .confidence != "low"
          )
        )
)
and not profile.by_sender_email().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Issuu document with suspicious embedded link"
description: "Detects when an Issuu document contains suspicious links or text, where the document is set to open in full screen mode. The rule analyzes both embedded links and document content for malicious indicators, particularly focusing on suspicious top-level domains and language patterns."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          .href_url.domain.root_domain == "issuu.com"
          and .href_url.query_params == "fr=xKAE9_zU1NQ" // opens the document full screen
          // suspicious link in the Issuu document
          and (
            any(filter(ml.link_analysis(., mode="aggressive").additional_responses,
                       strings.icontains(.url.path, "/links/")
                ),
                // less than 3 links in the Issuu document
                length(.json["1"]) < 3
                and any(.json["1"],
                        strings.parse_url(.["url"]).domain.tld in $suspicious_tlds
                        or strings.parse_url(.["url"]).domain.domain in $free_subdomain_hosts
                        or strings.parse_url(.["url"]).domain.root_domain in $free_subdomain_hosts
                        or ml.link_analysis(strings.parse_url(.["url"])).credphish.disposition == "phishing"
                )
            )
            // or, credential phishing language on the page
            or any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.,
                                                               mode="aggressive"
                                              ).screenshot
                                     ).text
                   ).intents,
                   .name == "cred_theft" and .confidence != "low"
            )
          )
  )
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Free file host"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "URL screenshot"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
id: "0d73f43d-d9b4-594d-ba63-7b93784fb33f"